How to Stop Your Mobile Number from Being Hijacked

AT&T on Tuesday (Feb. 27) issued its own memo warning customers about the scam, in which a crook impersonates a carrier customer and has a mobile number "ported out" to a new carrier or SIM card. With all calls and texts redirected to a new device, the crook can intercept two-factor authentication codes and hijack a customer's Apple, Google or online-banking accounts.

"You may not know this has happened until you notice your mobile device has lost service," wrote Brian Rexroad, AT&T vice president of security platforms, in an official AT&T blog posting. "Then, you may notice loss of access to important accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information."

In early February, T-Mobile alerted its customers to the scam following "an uptick in this illegal activity." Most recent anecdotal reports have seemed to involve T-Mobile rather than AT&T, Verizon or Sprint, although the scam can theoretically be carried out on any carrier.

In 2016, a top Federal Trade Commission official fell victim to a port-out scam when a crook walked into a phone store with a fake ID, pretended to be her, and charged two new iPhones to her account.

In all cases, the prevention for port-out scams involves using or creating a password or PIN on a wireless-carrier account so that crooks can't make changes without it.

How to Prevent Port-Out Scams (In Theory)

With AT&T, a passcode already has to be used when calling customer care, changing the passcode or making account changes in an AT&T retail store. To prevent port-out scams, the company advises adding an "Extra Security" option so that the passcode will be necessary to access the account online or to make changes in any retail store, even one not run by AT&T.

You must first go to the My AT&T webpage and log in using your phone number and passcode. (If you don't have a passcode, there's a link on that page to create one.) Under the "Wireless passcode" section, select "Manage extra security" and then check "Extra security."

Unfortunately, prepaid customers at AT&T can't get all these protections. They can't add "Extra Security," although they already need their PINs to make online account changes. But third-party retailers might not have to demand a PIN when a crook walks into a store and asks for a replacement SIM card on an AT&T prepaid account.

AT&T contract customers also can create passcodes of up to 24 alphanumeric characters, but AT&T prepaid customers can make only a four-digit PIN. The default PIN is the last four digits of the account holder's Social Security number, and even if that's changed, it takes only 10,000 guesses to crack.

Sprint makes you set up a PIN upon account activation, which it requires for port-out requests, according to a Sprint representative who spoke to independent security reporter Brian Krebs. Verizon told Krebs that account changes with it also require a PIN, which customers can create online or at Verizon retail stores.

T-Mobile recommends that its customers dial 611 from their T-Mobile phones, or 1-800-937-8997 from any other phone, to set up an account-protection PIN of six to 15 digits. Once that's done, you'll need to provide the PIN if you call customer service or go into a T-Mobile retail store.

The implication here, of course, is that until recently, you may not have needed a PIN at all to have a number ported when you called T-Mobile customer service or walked into a T-Mobile store. That may explain why port-out scams seem to affect T-Mobile more than any other carrier.

A commenter to Krebs' posting said that when he called T-Mobile to set up the account-protection PIN, the customer-care representative didn't know what he was talking about. A Reddit thread lists anecdotes of T-Mobile customer-care reps ignoring the account-protection PIN requirement, or letting callers override it by providing a Social Security number.